Form Access Security
The Form Access Security Tab within the Form Security Settings Window offers a number of important security settings. These settings control how and where a form can be accessed and provide an interface to define permissions at the workflow user level (if the form is used within a workflow). The various options and best practices for configuring them are explained in this article.
Workflow Member Database Security Settings
These settings are particularly important for Member Database Forms. When you select a Member Database as part of creating a Secure Workflow, or you allow Logiforms to generate the Member Database for you, the Form Access Security settings are automatically adjusted to follow best practices. Read on to learn more about best practice settings.
Understanding Form Access Security Settings
Form Access Security Settings cover two distinct areas, Read Only Settings and Public Access Security.
Read Only Settings: Strict Read Only Mode
Property | Details |
---|---|
Enforce Strict Read Only Mode | Make all Read Only fields tamper proof via server side checks |
When Strict Read Only Mode is enabled, any field on your form that has the Read Only Property set to true will keep its default value when the form is submitted. This ensures that even if JavaScript is used to work around the field being read-only, the change is never recorded and the default value is always used. This setting is enabled by default. It is important on Member Database Forms, where you may include a hidden "role" or "access level" field and want to ensure it cannot be tampered with. Note that you can also use the approval processing mode to ensure that new entries in a form defined as a Member Database are not automatically allowed to log in to a workflow via a Workflow Access Filter.
Changing Read-Only Fields
By default, read-only fields are editable within Record Details Mode for authenticated administrators. Note that you can restrict which fields Sub Users can see in Record Details View via a DataView.
If you enable the "Restrict all Public Access" option, you will also be able to configure specific workflows and workflow users that will have the ability to edit Read-Only Fields.
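The server-side check described above, sketched as an added example (not Logiforms' own code): the stored value of a read-only field always comes from the form definition, unless the caller has been granted the right to edit read-only fields. The schema layout, field names and `apply_submission` are hypothetical.

```python
# Added illustration: server-side enforcement of read-only form fields.
# The schema layout, field names and apply_submission() are hypothetical.

FORM_SCHEMA = {
    "email": {"read_only": False, "default": ""},
    "name":  {"read_only": False, "default": ""},
    "role":  {"read_only": True,  "default": "member"},  # hidden access-level field
}


def apply_submission(schema, submitted, release_read_only=False):
    """Return (record, tampered).

    record   -- the values that would be stored
    tampered -- read-only fields whose submitted value differed from the default
    release_read_only models a caller that has been granted permission to
    edit read-only fields; every other caller always gets the default.
    """
    record, tampered = {}, []
    for name, spec in schema.items():
        value = submitted.get(name, spec["default"])
        if spec["read_only"] and not release_read_only:
            if name in submitted and submitted[name] != spec["default"]:
                tampered.append(name)   # worth logging for later review
            value = spec["default"]     # the client-supplied value is never trusted
        record[name] = value
    # This sketch also drops submitted fields that are not in the schema.
    return record, sorted(tampered)


# Constructed sample: a POST body in which the hidden "role" input was changed
# in the browser and an extra field was injected.
TAMPERED_POST = {
    "email": "a@example.com",
    "name": "A",
    "role": "admin",
    "is_admin": "1",
}

if __name__ == "__main__":
    print(apply_submission(FORM_SCHEMA, TAMPERED_POST))
    print(apply_submission(FORM_SCHEMA, TAMPERED_POST, release_read_only=True))
```

The check lives in the submit handler because disabling or hiding an input in the browser only affects what the page displays, not what a client can send.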
Public Access Security
Property | Details |
---|---|
Restrict all Public Access | Disable all public access to the form |
Allow Direct Edit Access | When public access is disabled, optionally allow direct edit access |
Allow Respondent Update Mode | When public access is disabled, optionally allow respondent update mode login/editing. |
By enabling Public Access Security, you indicate that the form should not be publicly accessible by its public URL (i.e. http://forms.logiforms.com/formdata/user_forms/555555_999999/55555/). Once enabled, public access to the form is completely disabled. If your form is not meant to be filled out by the public (for example, it is a Dynamic Data Lookup Source or a Member Database), this setting should be enabled.
This setting is applied by default to all Workflow Member Databases to ensure they cannot be accessed directly. In the past, Approval Processing was used to restrict immediate access to a workflow after a new member entry was submitted. The introduction of Strict Read Only Mode and Public Access Security provides several new methods to manage entries into your Member Database.
When Public Access Security is enabled, new records can only be added via:
- The Logiforms Interface, when the form is opened by the account administrator or a Sub User
- Specific workflows and specific workflow users that have been granted access to submit new entries (more on that below)
- Triggers
- API
Allow Direct Edit Access & Allow Respondent Update Mode
Direct Edit Access and Respondent Update Mode (via a login page) can be enabled even when public access to the form is denied. This enables records to be created by an administrator or authorized Workflow, while still allowing Direct Edit Access or Respondent Update Mode Logins.
Workflow Permissions
If your account has Workflows enabled, once Public Access Security is enabled, you will also have the ability to define permissions at the Workflow and Workflow user level. This will enable forms to be accessed within Workflows. Click the Configure Permissions button to launch the Workflow Permissions window.
Defining Permissions for a Single User
- In the Permissions Editor, select the Workflow from the Workflow Panel
- Next, select the user you wish to apply permissions to from the Workflow Users Panel.
- With the user selected, check the boxes next to each permission you would like to grant the user.
- Click Save to save your changes. You also need to save changes from the Form Designers Menu to commit the changes.
Defining Permissions for all Users of a Workflow
- In the Permissions Editor, select the Workflow from the Workflow Panel
- Next, select ALL USERS from the Workflow Users Panel.
- Next, check the boxes next to each permission you would like to grant the user.
- Click Save to save your changes. You also need to save changes from the Form Designers Menu to commit the changes.
The permissions configured within the Permissions Editor apply to the current form when accessed within a Workflow. Note that permissions only apply to records the Workflow User is authorized to view.
Permission | Details |
---|---|
Allow New Submissions | Allow new form submissions / records to be created |
Allow Editing | Allow records to be edited |
Allow Delete | Allow records to be deleted from this form |
Release all Read Only Fields | Forms with ReadOnly Fields will have the Read Only setting removed. Typically reserved for Workflow Administrators |
Allow 2FA Setup to be Skipped | When set to true, these authenticated Workflow Users will be able to provision new user accounts and skip the 2FA setup. New users will be prompted to set up 2FA upon their first login. |
-
Colin Popenia I have a public-facing workflow. I'm still not clear on what combination of settings I should be using to allow users to self-register using the "New User Registration Page" in the workflow. After the recent security update, users now see "Access denied due to form security settings" on this page. I still see this error after adding "Allow New Submissions" and "Allow Editing" to "ALL USERS" in the Workflow Permissions Editor. I've also tried enabling "Direct Edit Access" and "Respondent Update Mode" but I am still seeing the "Access denied due to form security settings" error.
-
Clinton Tu Hi Colin,
If you are allowing users to register and gain immediate access, then you should de-select the "Restrict Public Access" option so that the form is publicly accessible again.
-
Colin Popenia OK great - thanks!